From e4d8eaa15ff61b8f9643bdaf41d9d0c763372d6d Mon Sep 17 00:00:00 2001
From: github-actions
Date: Mon, 6 Nov 2023 18:14:30 +0000
Subject: [PATCH] Auto-update tekton resources
---
tasks/buildah/0.6/README.md | 64 ---------
tasks/buildah/0.6/buildah.yaml | 114 ----------------
tasks/buildah/0.6/samples/dockerconfig.yaml | 67 ----------
.../samples/openshift-internal-registry.yaml | 87 ------------
.../internal-registry/internal-registry.yaml | 50 -------
tasks/buildah/0.6/tests/run.sh | 96 -------------
tasks/buildah/0.6/tests/run.yaml | 126 ------------------
tasks/buildah/README.md | 6 -
tasks/buildah/buildah.yaml | 95 -------------
9 files changed, 705 deletions(-)
delete mode 100644 tasks/buildah/0.6/README.md
delete mode 100644 tasks/buildah/0.6/buildah.yaml
delete mode 100644 tasks/buildah/0.6/samples/dockerconfig.yaml
delete mode 100644 tasks/buildah/0.6/samples/openshift-internal-registry.yaml
delete mode 100644 tasks/buildah/0.6/tests/internal-registry/internal-registry.yaml
delete mode 100644 tasks/buildah/0.6/tests/run.sh
delete mode 100644 tasks/buildah/0.6/tests/run.yaml
delete mode 100644 tasks/buildah/README.md
delete mode 100644 tasks/buildah/buildah.yaml
diff --git a/tasks/buildah/0.6/README.md b/tasks/buildah/0.6/README.md
deleted file mode 100644
index a39db6f6..00000000
--- a/tasks/buildah/0.6/README.md
+++ /dev/null
@@ -1,64 +0,0 @@
-# Buildah
-
-This Task builds source into a container image using Project Atomic's
-[Buildah](https://github.com/projectatomic/buildah) build tool. It uses
-Buildah's support for building from
-[`Dockerfile`](https://docs.docker.com/engine/reference/builder/)s, using its
-`buildah bud` command. This command executes the directives in the `Dockerfile`
-to assemble a container image, then pushes that image to a container registry.
-
-## Install the Task
-
-TBD
-
-## Parameters
-
-* **IMAGE**: The name (reference) of the image to build.
-* **DOCKERFILE**: The path to the `Dockerfile` to execute (_default:_
- `./Dockerfile`)
-* **CONTEXT**: Path to the directory to use as context (_default:_
- `.`)
-* **TLSVERIFY**: Verify the TLS on the registry endpoint (for push/pull to a
- non-TLS registry) (_default:_ `true`)
-* **FORMAT**: The format of the built container, oci or docker (_default:_
- `oci`)
-* **BUILD_EXTRA_ARGS**: Extra parameters passed for the build command when
- building images. (_default:_ `""`)
-* **PUSH_EXTRA_ARGS**: Extra parameters passed for the push command when
- pushing images. (_default:_ `""`)
-* **SKIP_PUSH**: Skip pushing the built image (_default:_ `false`)
-
-## Workspaces
-
-* **source**: A [Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md) containing the source to build.
-* **sslcertdir**: An [*optional* Workspace](https://github.com/tektoncd/pipeline/blob/v0.17.0/docs/workspaces.md#optional-workspaces) containing your custom SSL certificates to connect to the registry. Buildah will look for files ending with *.crt, *.cert, *.key into this workspace. See [this sample](./samples/openshift-internal-registry.yaml) for a complete example on how to use it with OpenShift internal registry.
-- **dockerconfig**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. See [this sample](./samples/dockerconfig.yaml) for a complete example on how to use `dockerconfig` to access container registry. _(optional)_
-
-## Platforms
-
-The Task can be run on `linux/amd64`, `linux/s390x`, `linux/arm64` and `linux/ppc64le` platforms.
-
-## Usage
-
-This TaskRun runs the Task to fetch a Git repo, and build and push a container
-image using Buildah.
-
-```yaml
-apiVersion: tekton.dev/v1beta1
-kind: TaskRun
-metadata:
- name: buildah-build-my-repo
-spec:
- taskRef:
- name: buildah
- params:
- - name: IMAGE
- value: gcr.io/my-repo/my-image
- workspaces:
- - name: source
- persistentVolumeClaim:
- claimName: my-source
-```
-
-In this example, the Git repo being built is expected to have a `Dockerfile` at
-the root of the repository.
diff --git a/tasks/buildah/0.6/buildah.yaml b/tasks/buildah/0.6/buildah.yaml
deleted file mode 100644
index 36b4e72d..00000000
--- a/tasks/buildah/0.6/buildah.yaml
+++ /dev/null
@@ -1,114 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
- name: buildah
- labels:
- app.kubernetes.io/version: "0.6"
- annotations:
- tekton.dev/categories: Image Build
- tekton.dev/pipelines.minVersion: "0.44.0"
- tekton.dev/tags: image-build
- tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64"
-spec:
- description: >-
- Buildah task builds source into a container image and
- then pushes it to a container registry.
-
- Buildah Task builds source into a container image using Project Atomic's
- Buildah build tool.It uses Buildah's support for building from Dockerfiles,
- using its buildah bud command.This command executes the directives in the
- Dockerfile to assemble a container image, then pushes that image to a
- container registry.
-
- params:
- - name: IMAGE
- description: Reference of the image buildah will produce.
- - name: STORAGE_DRIVER
- description: Set buildah storage driver
- default: vfs
- - name: DOCKERFILE
- description: Path to the Dockerfile to build.
- default: ./Dockerfile
- - name: CONTEXT
- description: Path to the directory to use as context.
- default: .
- - name: TLSVERIFY
- description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
- default: "true"
- - name: FORMAT
- description: The format of the built container, oci or docker
- default: "oci"
- - name: BUILD_EXTRA_ARGS
- description: Extra parameters passed for the build command when building images.
- default: ""
- - name: PUSH_EXTRA_ARGS
- description: Extra parameters passed for the push command when pushing images.
- type: string
- default: ""
- - name: SKIP_PUSH
- description: Skip pushing the built image
- default: "false"
- workspaces:
- - name: source
- - name: sslcertdir
- optional: true
- - name: dockerconfig
- description: >-
- An optional workspace that allows providing a .docker/config.json file
- for Buildah to access the container registry.
- The file should be placed at the root of the Workspace with name config.json.
- optional: true
- results:
- - name: IMAGE_DIGEST
- description: Digest of the image just built.
- - name: IMAGE_URL
- description: Image repository where the built image would be pushed to
- steps:
- - name: build
- image: quay.io/buildah/stable:v1.29.0
- workingDir: $(workspaces.source.path)
- script: |
- [[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
-
- if [[ "$(workspaces.dockerconfig.bound)" == "true" ]]; then
-
- # if config.json exists at workspace root, we use that
- if test -f "$(workspaces.dockerconfig.path)/config.json"; then
- export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
-
- # else we look for .dockerconfigjson at the root
- elif test -f "$(workspaces.dockerconfig.path)/.dockerconfigjson"; then
- cp "$(workspaces.dockerconfig.path)/.dockerconfigjson" "$HOME/.docker/config.json"
- export DOCKER_CONFIG="$HOME/.docker"
-
- # need to error out if neither files are present
- else
- echo "neither 'config.json' nor '.dockerconfigjson' found at workspace root"
- exit 1
- fi
- fi
-
- # Build
- buildah ${CERT_DIR_FLAG} --storage-driver=$(params.STORAGE_DRIVER) bud \
- $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \
- --tls-verify=$(params.TLSVERIFY) --no-cache \
- -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT)
-
- # Push
- [[ "$(params.SKIP_PUSH)" == "true" ]] && echo "Push skipped" && exit 0
- buildah ${CERT_DIR_FLAG} --storage-driver=$(params.STORAGE_DRIVER) push \
- $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
- --digestfile /tmp/image-digest $(params.IMAGE) \
- docker://$(params.IMAGE)
- cat /tmp/image-digest | tee $(results.IMAGE_DIGEST.path)
- echo -n "$(params.IMAGE)" | tee $(results.IMAGE_URL.path)
- volumeMounts:
- - name: varlibcontainers
- mountPath: /var/lib/containers
- securityContext:
- capabilities:
- add: ["SETFCAP"]
- volumes:
- - name: varlibcontainers
- emptyDir: {}
diff --git a/tasks/buildah/0.6/samples/dockerconfig.yaml b/tasks/buildah/0.6/samples/dockerconfig.yaml
deleted file mode 100644
index fb231849..00000000
--- a/tasks/buildah/0.6/samples/dockerconfig.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: dockerconfig-secret
-stringData:
- config.json: |
- {
- "auths" : {
- "icr.io" : {
- "auth" : "iamapikey",
- "identitytoken" : "test123test123"
- }
- }
- }
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
- name: buildah-test-pipeline-run
-spec:
- pipelineSpec:
- workspaces:
- - name: shared-workspace
- - name: sslcertdir
- optional: true
- - name: dockerconfig-ws
- optional: true
- tasks:
- - name: fetch-repository
- taskRef:
- name: git-clone
- workspaces:
- - name: output
- workspace: shared-workspace
- params:
- - name: url
- value: https://github.com/sclorg/nodejs-ex
- - name: subdirectory
- value: ""
- - name: deleteExisting
- value: "true"
- - name: buildah
- taskRef:
- name: buildah
- runAfter:
- - fetch-repository
- workspaces:
- - name: source
- workspace: shared-workspace
- - name: dockerconfig
- workspace: dockerconfig-ws
- params:
- - name: IMAGE
- value:
- workspaces:
- - name: shared-workspace
- volumeClaimTemplate:
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 100Mi
- - name: dockerconfig-ws
- secret:
- secretName: dockerconfig-secret
diff --git a/tasks/buildah/0.6/samples/openshift-internal-registry.yaml b/tasks/buildah/0.6/samples/openshift-internal-registry.yaml
deleted file mode 100644
index f2c6075e..00000000
--- a/tasks/buildah/0.6/samples/openshift-internal-registry.yaml
+++ /dev/null
@@ -1,87 +0,0 @@
-# Your custom CA, on OpenShift to be able to get the internal registry custom
-# certificates you can just import it to your namespace with :
-# oc get configmaps \
-# -n openshift-controller-manager openshift-service-ca -o yaml | \
-# sed '/namespace/d'|kubectl apply -f-
----
-kind: ConfigMap
-metadata:
- name: openshift-service-ca
-apiVersion: v1
-data:
- service-ca.crt: |
- -----BEGIN CERTIFICATE-----
- MIIDUTCCAjmgAwIB................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ................................................................
- ....................................................
- -----END CERTIFICATE-----
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
- generateName: buildah-custom-ca-
-spec:
- workspaces:
- - name: shared-workspace
- volumeClaimTemplate:
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 1Gi
- # Make sure the path ends up as ca.crt or buildah would not be able to find
- # it.
- - name: sslcertdir
- configMap:
- name: openshift-service-ca
- defaultMode: 420
- items:
- - key: service-ca.crt
- path: ca.crt
- namespace: openshift-controller-manager
- pipelineSpec:
- workspaces:
- - name: shared-workspace
- - name: sslcertdir
- optional: true
- tasks:
- - name: fetch-repository
- taskRef:
- name: git-clone
- workspaces:
- - name: output
- workspace: shared-workspace
- params:
- - name: url
- value: https://github.com/kelseyhightower/nocode
- - name: buildah
- taskRef:
- name: buildah
- runAfter:
- - fetch-repository
- workspaces:
- - name: source
- workspace: shared-workspace
- - name: sslcertdir
- workspace: sslcertdir
- params:
- # This will push to the openshift internal registry
- - name: IMAGE
- value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/$(context.pipelineRun.name)
diff --git a/tasks/buildah/0.6/tests/internal-registry/internal-registry.yaml b/tasks/buildah/0.6/tests/internal-registry/internal-registry.yaml
deleted file mode 100644
index 7fc6f7d1..00000000
--- a/tasks/buildah/0.6/tests/internal-registry/internal-registry.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: registry
-spec:
- selector:
- matchLabels:
- run: registry
- replicas: 1
- template:
- metadata:
- labels:
- run: registry
- spec:
- containers:
- - name: registry
- image: docker.io/registry:2
- ports:
- - containerPort: 5000
- volumeMounts:
- - name: sslcert
- mountPath: /certs
- env:
- - name: REGISTRY_HTTP_TLS_CERTIFICATE
- value: "/certs/ca.crt"
- - name: REGISTRY_HTTP_TLS_KEY
- value: "/certs/ca.key"
- - name: REGISTRY_HTTP_SECRET
- value: "tekton"
- volumes:
- - name: sslcert
- configMap:
- defaultMode: 420
- items:
- - key: ca.crt
- path: ca.crt
- - key: ca.key
- path: ca.key
- name: sslcert
----
-apiVersion: v1
-kind: Service
-metadata:
- name: registry
-spec:
- ports:
- - port: 5000
- selector:
- run: registry
diff --git a/tasks/buildah/0.6/tests/run.sh b/tasks/buildah/0.6/tests/run.sh
deleted file mode 100644
index 9435b012..00000000
--- a/tasks/buildah/0.6/tests/run.sh
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-KUBECTL=kubectl
-if [[ "$1" == "openshift" ]]; then
- KUBECTL=oc
-fi
-
-tns=buildah-test
-
-# Run a secure registry as a sidecar to allow the tasks to push to this registry using the certs.
-# It will create a configmap `sslcert` with certificate available at key `ca.crt`
-function add_sidecar_secure_registry() {
- TMD=$(mktemp -d)
-
- # Generate SSL Certificate
- openssl req -newkey rsa:4096 -nodes -sha256 -keyout "${TMD}"/ca.key -x509 -days 365 \
- -addext "subjectAltName = DNS:registry" \
- -out "${TMD}"/ca.crt -subj "/C=FR/ST=IDF/L=Paris/O=Tekton/OU=Catalog/CN=registry"
-
- # Create a configmap from these certs
- ${KUBECTL} create -n "${tns}" configmap sslcert \
- --from-file=ca.crt="${TMD}"/ca.crt --from-file=ca.key="${TMD}"/ca.key
-
- # Add a secure internal registry as sidecar
- ${KUBECTL} create -n "${tns}" -f ./internal-registry/internal-registry.yaml
-}
-
-cd "$(dirname "$0")"
-${KUBECTL} create namespace ${tns}
-
-add_sidecar_secure_registry
-
-# Add git-clone
-${KUBECTL} -n ${tns} apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.7/git-clone.yaml
-${KUBECTL} -n ${tns} apply -f ../buildah.yaml
-
-${KUBECTL} -n ${tns} create -n buildah-test -f ./run.yaml
-
-tkn_pr_status() {
- namespace=$1
- name=$2
- ${KUBECTL} -n $namespace get $name -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}'
-}
-
-tkn_pr_done () {
- status=$(tkn_pr_status "$@")
- [ "$status" == "True" ] || [ "$status" == "False" ]
-}
-
-function tkn_pr_wait {
- # usage: wait_for_pr
- timeout=$(($1 + $(date +%s)))
- shift
-
- while :; do
- if [ $(date +%s) -gt $timeout ]; then
- echo "Timeout exceeded waiting for pipeline run to complete"
- return 1
- fi
-
- if tkn_pr_done "$@"; then
- echo "Pipelinerun has finished"
- return 0
- fi
-
- echo "Waiting..."
- sleep 30
- done
-}
-
-for pipeline in $(${KUBECTL} -n ${tns} get pipelinerun --output=name); do
- tkn_pr_wait 600 ${tns} ${pipeline}
-done
-
-set -x
-
-fail=""
-for pipeline in $(${KUBECTL} -n ${tns} get pipelinerun --output=name); do
- status=$(${KUBECTL} -n ${tns} get ${pipeline} --output=jsonpath='{.status.conditions[*].status}')
- reason=$(${KUBECTL} -n ${tns} get ${pipeline} --output=jsonpath='{.status.conditions[*].reason}')
- if [[ "${status}" != "True" ]]; then
- echo "Pipeline ${pipeline} failed with reason : ${reason}"
- fail="true"
- fi
-done
-
-if [[ -n ${fail} ]]; then
- ${KUBECTL} -n ${tns} get pipelineruns -o yaml
- ${KUBECTL} -n ${tns} get taskruns -o yaml
- for pod in $(${KUBECTL} -n ${tns} get pods --output=name); do
- ${KUBECTL} -n ${tns} logs ${pod} --all-containers
- done
- exit 1
-fi
diff --git a/tasks/buildah/0.6/tests/run.yaml b/tasks/buildah/0.6/tests/run.yaml
deleted file mode 100644
index 4f1a0743..00000000
--- a/tasks/buildah/0.6/tests/run.yaml
+++ /dev/null
@@ -1,126 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
- name: buildah-test-pipeline-run
-spec:
- pipelineSpec:
- workspaces:
- - name: shared-workspace
- - name: sslcertdir
- optional: true
- tasks:
- - name: fetch-repository
- taskRef:
- name: git-clone
- workspaces:
- - name: output
- workspace: shared-workspace
- params:
- - name: url
- value: https://github.com/kelseyhightower/nocode
- - name: subdirectory
- value: ""
- - name: deleteExisting
- value: "true"
- - name: buildah
- taskRef:
- name: buildah
- runAfter:
- - fetch-repository
- workspaces:
- - name: source
- workspace: shared-workspace
- - name: sslcertdir
- workspace: sslcertdir
- params:
- - name: IMAGE
- value: registry:5000/nocode
- - name: test-buildah-results
- params:
- - name: OUTPUT_IMAGE
- value: "$(tasks.buildah.results.IMAGE_URL)"
- - name: ORIGINAL_IMAGE
- value: registry:5000/nocode
- taskSpec:
- params:
- - name: ORIGINAL_IMAGE
- - name: OUTPUT_IMAGE
- steps:
- - name: evaluate
- image: alpine
- script: |
- #!/usr/bin/env sh
- [[ "$(params.ORIGINAL_IMAGE)" = "$(params.OUTPUT_IMAGE)" ]] && exit 0 || exit 1
- workspaces:
- - name: shared-workspace
- volumeClaimTemplate:
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 10Mi
- - name: sslcertdir
- configMap:
- name: sslcert
- defaultMode: 420
- items:
- - key: ca.crt
- path: ca.crt
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
- name: buildah-test-skip-push-pipeline-run
-spec:
- pipelineSpec:
- workspaces:
- - name: shared-workspace
- - name: sslcertdir
- optional: true
- tasks:
- - name: fetch-repository
- taskRef:
- name: git-clone
- workspaces:
- - name: output
- workspace: shared-workspace
- params:
- - name: url
- value: https://github.com/kelseyhightower/nocode
- - name: subdirectory
- value: ""
- - name: deleteExisting
- value: "true"
- - name: buildah
- taskRef:
- name: buildah
- runAfter:
- - fetch-repository
- workspaces:
- - name: source
- workspace: shared-workspace
- - name: sslcertdir
- workspace: sslcertdir
- params:
- - name: IMAGE
- value: registry:5000/nocode
- - name: SKIP_PUSH
- value: "true"
- workspaces:
- - name: shared-workspace
- volumeClaimTemplate:
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 10Mi
- - name: sslcertdir
- configMap:
- name: sslcert
- defaultMode: 420
- items:
- - key: ca.crt
- path: ca.crt
diff --git a/tasks/buildah/README.md b/tasks/buildah/README.md
deleted file mode 100644
index 248eee79..00000000
--- a/tasks/buildah/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# `buildah` task
-
-This is where we maintain the `buildah` Task.
-
-Versions:
-- [0.6](./0.6)
diff --git a/tasks/buildah/buildah.yaml b/tasks/buildah/buildah.yaml
deleted file mode 100644
index 5dfe811c..00000000
--- a/tasks/buildah/buildah.yaml
+++ /dev/null
@@ -1,95 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
- name: buildah
- labels:
- app.kubernetes.io/version: "0.5"
- annotations:
- tekton.dev/categories: Image Build
- tekton.dev/pipelines.minVersion: "0.17.0"
- tekton.dev/tags: image-build
- tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64"
-spec:
- description: >-
- Buildah task builds source into a container image and
- then pushes it to a container registry.
-
- Buildah Task builds source into a container image using Project Atomic's
- Buildah build tool.It uses Buildah's support for building from Dockerfiles,
- using its buildah bud command.This command executes the directives in the
- Dockerfile to assemble a container image, then pushes that image to a
- container registry.
-
- params:
- - name: IMAGE
- description: Reference of the image buildah will produce.
- - name: BUILDER_IMAGE
- description: The location of the buildah builder image.
- default: quay.io/buildah/stable:v1.23.3
- - name: STORAGE_DRIVER
- description: Set buildah storage driver
- default: overlay
- - name: DOCKERFILE
- description: Path to the Dockerfile to build.
- default: ./Dockerfile
- - name: CONTEXT
- description: Path to the directory to use as context.
- default: .
- - name: TLSVERIFY
- description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
- default: "true"
- - name: FORMAT
- description: The format of the built container, oci or docker
- default: "oci"
- - name: BUILD_EXTRA_ARGS
- description: Extra parameters passed for the build command when building images.
- default: ""
- - name: PUSH_EXTRA_ARGS
- description: Extra parameters passed for the push command when pushing images.
- type: string
- default: ""
- - name: SKIP_PUSH
- description: Skip pushing the built image
- default: "false"
- workspaces:
- - name: source
- - name: sslcertdir
- optional: true
- - name: dockerconfig
- description: >-
- An optional workspace that allows providing a .docker/config.json file
- for Buildah to access the container registry.
- The file should be placed at the root of the Workspace with name config.json.
- optional: true
- results:
- - name: IMAGE_DIGEST
- description: Digest of the image just built.
- - name: IMAGE_URL
- description: Image repository where the built image would be pushed to
- steps:
- - name: build
- image: $(params.BUILDER_IMAGE)
- workingDir: $(workspaces.source.path)
- script: |
- [[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
- [[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
- buildah ${CERT_DIR_FLAG} --storage-driver=$(params.STORAGE_DRIVER) bud \
- $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \
- --tls-verify=$(params.TLSVERIFY) --no-cache \
- -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT)
- [[ "$(params.SKIP_PUSH)" == "true" ]] && echo "Push skipped" && exit 0
- buildah ${CERT_DIR_FLAG} --storage-driver=$(params.STORAGE_DRIVER) push \
- $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
- --digestfile /tmp/image-digest $(params.IMAGE) \
- docker://$(params.IMAGE)
- cat /tmp/image-digest | tee $(results.IMAGE_DIGEST.path)
- echo -n "$(params.IMAGE)" | tee $(results.IMAGE_URL.path)
- volumeMounts:
- - name: varlibcontainers
- mountPath: /var/lib/containers
- securityContext:
- privileged: true
- volumes:
- - name: varlibcontainers
- emptyDir: {}